IronSights

Threats & attacks

Spear phishing

A targeted phishing attack tailored to a specific individual or organisation, using research and personalisation to appear more credible and increase the likelihood of success.

Also known asspear-phishingtargeted phishingwhaling

In plain English

Unlike mass phishing campaigns that spray generic emails at millions of people, spear phishing is personalised. Attackers research the target on LinkedIn, company websites, and social media to craft emails that reference real colleagues, projects, or events — making them far harder to detect.

Full definition

The cost of personalisation

Generic is a numbers game. Send enough messages and a small percentage of recipients will click. Spear phishing works differently: the attacker picks a target, researches them, and builds a message specific enough to feel real. They might reference your CFO by name, mention a current project, and impersonate a supplier whose domain they have already registered with one character changed. The personalisation is what makes it dangerous.

Australian professional services firms, accounting practices, and construction companies are common targets because they handle large transactions and often rely on email to approve payments. , a form of spear phishing, cost Australian businesses over $79 million in 2022 according to ACCC Scamwatch data. The typical scenario: a convincing email from what appears to be a known contact requesting an urgent payment to a new account.

Detection starts with slowing down. A request for payment, credential change, or data export that arrives with urgency attached should be verified by phone using a number you already have, not one supplied in the message. Technical controls like and help filter impersonated domains, and can flag messages matching known spear phishing patterns. Neither is a substitute for staff who know to pick up the phone.

Keep learning

More terms in the IronSights Glossary.